How do I force DNS hard-coded devices (like the Roku) to use Pi-hole, while allowing my PCs to bypass Pi-hole?

I have installed Pi-hole on a Raspberry Pi and it all looks great. I'm using it in my home network, which consists of 2 Linux Mint PCs and 3 Rokus. I want the Rokus' telemetry/spying to be sent to Pi-hole, and I want the two PCs to bypass Pi-hole and use Cloudflare. Since the Rokus are hard-coded to use a public DNS server, it is my understanding that I need to force port 53 on my TP-Link Archer C7 router to use Pi-hole's IP address. But that will also force the 2 PCs to use Pi-hole, which I don't want. How can I force the Rokus to Pi-hole, while allowing the 2 PCs to bypass Pi-hole? Thanks!

You can easily achieve this with four firewall rules. First, specify fixed IP addresses for your two PCs. Then, add iptables (or whatever is supported by your router) rules in the following order:

  1. Permit outgoing port 53 if source IP == PC1
  2. Permit outgoing port 53 if source IP == PC2
  3. Permit outgoing port 53 if source IP == Pi-hole
  4. Reroute outgoing port 53 to Pi-hole for all other requests

But why do you want to bypass the Pi-hole for the PC instead of protecting / ad filtering them just as well?
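As an added example (not part of the answer above and not Pi-hole project code), the following POSIX shell script prints the four rules as iptables commands for a Linux-based router, for both UDP and TCP on port 53, in the order that matters: the ACCEPT rules for the PCs and for the Pi-hole itself come first, the catch-all DNAT last. The interface name and all addresses are assumed placeholders. It also emits a POSTROUTING MASQUERADE line that the answer does not mention; it is needed when the Pi-hole sits on the same LAN as the Rokus, because otherwise the Pi-hole answers the Roku directly from its own address rather than from the resolver the Roku asked, and the Roku discards the reply.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables rules implementing the
# four-rule ordering from the answer above. Addresses and interface name are
# constructed placeholders; adjust them for your own network.
LAN_IF="br0"               # assumption: the router's LAN bridge interface
LAN_NET="192.168.1.0/24"   # assumption: the home LAN
PIHOLE="192.168.1.2"       # assumption: Pi-hole's fixed address
PC1="192.168.1.10"         # assumption: first PC (fixed address)
PC2="192.168.1.11"         # assumption: second PC (fixed address)

# Print one rule per line instead of executing it, so the ordering can be
# reviewed before being piped to sh on the router.
dns_redirect_rules() {
    for proto in udp tcp; do
        # Rules 1-2: the PCs may reach any resolver directly. ACCEPT in the
        # nat table ends nat processing, so no later DNAT applies to them.
        for pc in "$PC1" "$PC2"; do
            echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $pc -p $proto --dport 53 -j ACCEPT"
        done
        # Rule 3: Pi-hole's own upstream queries must not be bounced back to
        # itself, or every lookup loops forever.
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $PIHOLE -p $proto --dport 53 -j ACCEPT"
        # Rule 4: any other LAN host (the Rokus) gets its query rewritten to Pi-hole.
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p $proto --dport 53 -j DNAT --to-destination $PIHOLE"
        # Hairpin fix: make the redirected query appear to come from the router,
        # so Pi-hole replies via the router, which un-NATs it back to the Roku.
        echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $PIHOLE -p $proto --dport 53 -j MASQUERADE"
    done
}

# Sanity check of the ordering: for each protocol, every ACCEPT line must
# precede the DNAT line, otherwise the PCs and Pi-hole would be redirected too.
rules_ordered() {
    for proto in udp tcp; do
        first_dnat=$(dns_redirect_rules | grep -n -- "-p $proto .*DNAT" | head -n 1 | cut -d: -f1)
        last_accept=$(dns_redirect_rules | grep -n -- "-p $proto .*ACCEPT" | tail -n 1 | cut -d: -f1)
        [ -n "$first_dnat" ] && [ -n "$last_accept" ] || return 1
        [ "$last_accept" -lt "$first_dnat" ] || return 1
    done
    return 0
}

# Run with "apply" to execute the rules on the router; by default only print them.
if [ "${1:-}" = "apply" ]; then
    rules_ordered && dns_redirect_rules | sh
else
    dns_redirect_rules
fi
```

Run it once without arguments to review the output, then with `apply` as root on the router. The redirect only covers plain DNS on port 53; a device that resolves names over DNS-over-HTTPS (443) or DNS-over-TLS (853) is not touched by these rules, which is worth checking in Pi-hole's query log after the rules are in place.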


Thanks DL6ER! I wanted to bypass the PCs because I read somewhere that I wouldn't be able to use a VPN on the PCs without DNS leaks, and I didn't want to get in over my head. But now I think I wasn't understanding the whole picture. I use my VPN's client (AirVPN's client, which is called "Eddie"), and I think the client will just take over and bypass Pi-hole altogether, so there should be no need to worry about DNS leaks as long as I use the VPN's client (and verify there are no leaks). So now all I need to do is set up my router to force port 53 to Pi-hole, so the Rokus are forced to go to Pi-hole. And I can do that by following #3 and #4 in your post above, correct? Again, thanks for your help.

Yes. It is essential to also have #3 because otherwise, infinite loops are created.

I am a bit late to the dance, but on the PCs you can just specify the DNS server that you want them to use in their network configuration. They can bypass the DNS info they get via DHCP. I am not sure where the Roku gets its DNS from; I suspect it is getting it via DHCP, as I am seeing lots of DNS traffic from the Roku's IP address on the Pi-hole.
